Apple is trailing way behind Microsoft in security patch responsiveness, according to a study by security researchers.
Stefan Frei and Bernhard Tellenbach of the Computer Engineering and Networks Laboratory (TIK) at the Swiss Federal Institute of Technology analysed several years of vulnerability disclosures and patching …

Smell the Coffee Mr Jobs!

I love my Mac. But it should be obvious to Mr Jobs that the key selling points of the Mac, ease-of-use and productivity suites (in my case iWork, iLife, & Aperture), will be fundamentally undermined WHEN that productivity is stolen, corrupted, or otherwise held hostage by hackers spawning malware.

Steve Jobs, if you want to send me and others back to Linux or worse (oh dear god) Windows, then keep going as you are, don't change a thing.

Go on...

Crumbling Ivory Tower

Macs are coming under as much fire as PCs these days. I guess the "it's safer on a Mac" stance was basically because they were largely ignored; now they are a contender, it's not just good attention they are getting.

They're here

Was going to post with idle speculation on how long it would take before the Apple apologists turned up - but I see they beat me to it.

Expect the legions of the brainwashed to fill this column with how great Apple are and how willing they are to keep emptying their wallets for them. If they can show up as positive comments on search results, maybe this report won't damage the Apple 'image' as much as it should!

Level and balance?

There is a big difference between a vulnerability that exists, but for which there is no exploit, and a vulnerability for which there IS an exploit "in the wild".

I have yet to receive the kind of funds to research this sort of matter extensively, but I would be willing to bet a box of brand new floppy disks that a relatively large number of the Microsoft vulnerabilities have actually been exploited, whereas there have been relatively few successful exploits of same on the Mac platform.

One thing that would have been interesting to include in this research is how many of the published vulnerabilities were actually in software written by Apple Inc. themselves and how many were in bundled Open Source packages such as Apache. In the case of bundled Open Source software, Apple would have to rely on the developer community for that specific package to come up with a fix.

Alas, I can't say much about the (un?)timeliness of the release of patches to Open Source packages. In the case of Microsoft, they only release proprietary software, for which of course they should be able to fix any vulnerabilities very quickly.

Of course the nature of the vulnerabilities also differs greatly. For example, I have heard and seen lots of complaints about QuickTime vulnerabilities of the kind that would require a user to visit shady sites and download even shadier movies in order to take effect. This kind of vulnerability is by no means comparable to the slew of Microsoft critical vulnerabilities which require no user interaction to have your PC join a botnet.

So on the one hand we have dodgy movies trying to trick you into giving someone access to your machine; on the other hand we have the usual wide open back doors that turn your PC over to the Russian Mafia or anyone else who cares to hijack it. As far as I know there has yet to emerge any Mac-based botnet, while the number of Microsoft Windows-based PCs involved in botnets has risen over a million.

Of course Apple should work on their act, but they have not left the kind of backdoors open that Microsoft seem to include as a courtesy with every software release. Cue the millions of PCs sending us spam every day courtesy of Outlook being a tool molded to hackers' hands.

Only researching patch time intervals does very little to convey the actual reality of the state of security matters on each platform. One could as well have researched the bytesize of the patches to conclude that bigger patches are more effective, and hence, the firm who has pushed the most bytes in security updates has won the security brownnose of the week prize.

Re: Level and balance?

"bla...bla... Only researching patch time intervals does very little to convey the actual reality of the state of security matters on each platform. One could as well have researched the bytesize of the patches to conclude that bigger patches are more effective, and hence, the firm who has pushed the most bytes in security updates has won the security brownnose of the week prize. Dead bird because the research proves nothing."

Let's see....

There are tens of millions of zombie Windows computers out there and no zombie Macs. Which user has more to worry about?

And, no, I'm not saying that Mac users will never need to worry about security. Even today, if a computer user is stupid enough to click 'ok' repeatedly when asked to install software, ANY computer can be infected. But in practice, Windows users have infinitely more to worry about than Mac users - no matter how many of these sensationalistic stories the Register manages to publish.

Every time...

...I venture into another far-flung corner of the Interwebs and read yet another fascinating round of the apparently never-ending, never-changing yet endlessly pointless Mac vs PC flamewar, I can't help but wonder what mighty achievements are left unfulfilled, what life goals ignored, what potential cures for all the world's ills left unfound, how many extra keyboards are sold and how many relationships broken in the pursuit of a victory as Pyrrhic as it is unattainable.

Geez

"Macs are coming under as much fire as PCs these days. I guess the "it's safer on a Mac" stance was basically because they were largely ignored; now they are a contender, it's not just good attention they are getting."

WAIT A SECOND!

...I made this exact same prediction with the bloody iPhone!

Maybe, just maybe, it's proving to be true!

"There are tens of millions of zombie Windows computers out there and no zombie Macs. Which user has more to worry about?"

How do you know there are no zombie Macs? Saying there are no zombie Macs is like saying there are no zombie UNIX/Linux boxes -- just not true, I've seen some myself.

RDS in full flow tonight..

Ok, I'll step in to be branded a fan boy

This sounds like sour grapes. Yes, Apple has to work with researchers who find bugs and vulnerabilities to patch them. And they may have to stroke their egos a bit more too, but the bottom line is the less anyone knows about specific security flaws in an operating system the better! It is no surprise that the day or week after Microsoft issues a patch, a slew of new attacks come out to try to take advantage of these newly documented bugs.

Also, I have to say the basic idea behind this article is flawed. Apple has responded very quickly to all actual threats to its users (which admittedly have been few so far). It has done so well that even the couple of trojans that exist for the Mac have gotten huge press but caught very few victims.

So, here is an analogy. This is like a teacher with two students. One spends 10 minutes a night on homework and aces all the tests, and the other spends 3 hours a night but can't get better than a C. This article praises the C student and predicts that once the work gets harder the A student will obviously fail.

All I'm saying is that I see no facts to support the C student over the A student.

@ Doug Petrosky re: OK, I'll step in to be branded a fanbbbboiiii

> the bottom line is the less anyone knows about specific security flaws in an operating system the better!

What you refer to goes by the stage-name of "security through obscurity", and it's

1.) Been discredited since long before the first time someone who hid their house keys under their doormat came home to find they've been burgled, and

2.) As realistic as belief in the healing power of crystals when it comes to OS security.

If Apple want people to develop software for their platform, they can't keep the inner workings of their OS secret. They have to let non-Apple people know how they map memory, how they prioritise the stack, how they write to the pattern buffer and assorted other garble. This is the information on which exploits are built, and it's out there for anyone with enough of an aversion to sunlight to use to haXOR an Apple box (crate?) and boast about it afterwards. As soon as one person knows, everyone knows.

Time was, IBM and M$ would respond to reports of exploits with cease-and-desist orders from their legal departments, and their customers would learn about the discovered hack when they got pwned months later. They largely learned their lesson. It's Apple's turn now.